author | ager@google.com <ager@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2008-11-04 13:02:55 +0000 |
committer | ager@google.com <ager@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2008-11-04 13:02:55 +0000 |
commit | 8c24781522df3715ba67507cf39749e487357fe6 (patch) | |
tree | 245279b18d125aa10531928bb5105483f81a0efa /webkit | |
parent | 227b893438d86342020ee9b4a7cbf17b03d4452b (diff) | |
Fix two issues with window.location:
- Disallow shadowing of window.location using __defineGetter__ and
__defineSetter__.
- Make sure that functions such as toString on location objects cannot
be overwritten by user functions.
This needs V8 revision 656. This will be put back once we have pushed
that version.
Review URL: http://codereview.chromium.org/8737
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@4598 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit')
-rw-r--r-- | webkit/data/layout_tests/chrome/fast/dom/location-shadowing-expected.txt | 5 | ||||
-rw-r--r-- | webkit/data/layout_tests/chrome/fast/dom/location-shadowing.html | 49 | ||||
-rw-r--r-- | webkit/port/bindings/scripts/CodeGeneratorV8.pm | 26 | ||||
-rw-r--r-- | webkit/port/page/DOMWindow.idl | 2 | ||||
-rw-r--r-- | webkit/port/page/Location.idl | 12 |
5 files changed, 81 insertions, 13 deletions
diff --git a/webkit/data/layout_tests/chrome/fast/dom/location-shadowing-expected.txt b/webkit/data/layout_tests/chrome/fast/dom/location-shadowing-expected.txt
new file mode 100644
index 0000000..a9b2554
--- /dev/null
+++ b/webkit/data/layout_tests/chrome/fast/dom/location-shadowing-expected.txt
@@ -0,0 +1,5 @@
+PASS
+PASS
+PASS
+PASS
+
diff --git a/webkit/data/layout_tests/chrome/fast/dom/location-shadowing.html b/webkit/data/layout_tests/chrome/fast/dom/location-shadowing.html
new file mode 100644
index 0000000..6e9bac4
--- /dev/null
+++ b/webkit/data/layout_tests/chrome/fast/dom/location-shadowing.html
@@ -0,0 +1,49 @@
+<html>
+<body onload="test()">
+<script>
+// This tests that the location property on the window object
+// cannot be overwritten by using accessors defined using
+// __defineGetter__ and __defineSetter__ and that functions
+//on location objects are read-only.
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+}
+
+function check(passed) {
+ if (passed) {
+ document.write("PASS<br>");
+ } else {
+ document.write("FAIL<br>");
+ }
+}
+
+var locationFunctions = ["reload", "replace", "assign", "toString"];
+
+function overwrite() { return 'overwrite'; };
+
+function testFunctionOverwrite() {
+ for (var i = 0; i < locationFunctions.length; i++) {
+ location[locationFunctions[i]] = overwrite;
+ check(location[locationFunctions[i]] != overwrite);
+ }
+}
+
+function failIfCalled() { check(false); }
+
+function testAccessorOverwrite() {
+ __defineGetter__("location", failIfCalled);
+ var l = location;
+ window.__defineGetter__("location", failIfCalled);
+ l = window.location;
+ this.__defineGetter__("location", failIfCalled);
+ l = this.location;
+}
+
+function test() {
+ testFunctionOverwrite();
+ testAccessorOverwrite();
+}
+</script>
+</body>
+</html>
diff --git a/webkit/port/bindings/scripts/CodeGeneratorV8.pm b/webkit/port/bindings/scripts/CodeGeneratorV8.pm
index 1da6318..1526b88 100644
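Review bot: testAccessorOverwrite() in location-shadowing.html produces no PASS line of its own — the four PASS lines in the expected file all come from testFunctionOverwrite() — so the accessor half of the test only reports anything if a shadowing getter is actually invoked, and a regression that lets __defineGetter__ install the accessor without the three reads calling it would still match the expected output. A positive check after each read, e.g. `check(l === window.location);`, would make the guard observable in the expected output (which would then need the extra PASS lines). Two style nits in the same file: the comment `//on location objects are read-only.` is missing the space after `//`, and `function overwrite() { return 'overwrite'; };` carries a stray trailing semicolon.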
--- a/webkit/port/bindings/scripts/CodeGeneratorV8.pm +++ b/webkit/port/bindings/scripts/CodeGeneratorV8.pm @@ -958,15 +958,20 @@ sub GenerateImplementation my $accessControl = "v8::DEFAULT"; if ($attrExt->{"DoNotCheckDomainSecurityOnGet"}) { - $accessControl = "v8::ALL_CAN_READ"; + $accessControl = "v8::ALL_CAN_READ"; } elsif ($attrExt->{"DoNotCheckDomainSecurityOnSet"}) { - $accessControl = "v8::ALL_CAN_WRITE"; + $accessControl = "v8::ALL_CAN_WRITE"; } elsif ($attrExt->{"DoNotCheckDomainSecurity"}) { - $accessControl = "v8::ALL_CAN_READ"; + $accessControl = "v8::ALL_CAN_READ"; if (!($attribute->type =~ /^readonly/)) { - $accessControl = "(v8::AccessControl)(v8::ALL_CAN_READ | v8::ALL_CAN_WRITE)"; + $accessControl .= "|v8::ALL_CAN_WRITE"; } } + if ($attrExt->{"v8ProhibitsOverwriting"}) { + $accessControl .= "|v8::PROHIBITS_OVERWRITING"; + } + $accessControl = "static_cast<v8::AccessControl>(" . $accessControl . ")"; + my $customAccessor = $attrExt->{"Custom"} || $attrExt->{"CustomSetter"} || $attrExt->{"CustomGetter"} || ""; if ($customAccessor eq 1) { @@ -1108,9 +1113,17 @@ END if ($attrExt->{"DontEnum"}) { $property_attributes .= "|v8::DontEnum"; } + if ($attrExt->{"ReadOnly"}) { + $property_attributes .= "|v8::ReadOnly"; + } my $commentInfo = "Function '$name' (ExtAttr: '" . join(' ', keys(%{$attrExt})) . "')"; + my $template = "proto"; + if ($attrExt->{"v8OnInstance"}) { + $template = "instance"; + } + if ($attrExt->{"DoNotCheckDomainSecurity"} && ($dataNode->extendedAttributes->{"CheckDomainSecurity"} || $interfaceName eq "DOMWindow")) { # Mark the accessor as ReadOnly and set it on the proto object so 
@@ -1126,13 +1139,13 @@ END # accessing '__proto__' # # The solution is very hacky and fragile, it really needs to be replaced - # by a better solution. + # by a better solution. $property_attributes .= "|v8::ReadOnly"; push(@implContent, <<END); // $commentInfo - proto->SetAccessor( + $template->SetAccessor( v8::String::New("$name"), ${interfaceName}Internal::${name}AttrGetter, 0, @@ -1143,7 +1156,6 @@ END next; } - my $template = "proto"; my $signature = "default_signature"; if ($attrExt->{"v8DoNotCheckSignature"}){ $signature = "v8::Local<v8::Signature>()"; diff --git a/webkit/port/page/DOMWindow.idl b/webkit/port/page/DOMWindow.idl index c6f51f3..a0a94b2 100644 --- a/webkit/port/page/DOMWindow.idl +++ b/webkit/port/page/DOMWindow.idl @@ -52,7 +52,7 @@ module window { attribute [Replaceable] BarInfo toolbar; attribute [Replaceable] Navigator navigator; attribute [Replaceable, v8referenceattr=navigator] Navigator clientInformation; - attribute [DoNotCheckDomainSecurity, CustomSetter] Location location; + attribute [DoNotCheckDomainSecurity, CustomSetter, v8ProhibitsOverwriting] Location location; DOMSelection getSelection(); diff --git a/webkit/port/page/Location.idl b/webkit/port/page/Location.idl index 473522a..092b81d 100644 --- a/webkit/port/page/Location.idl +++ b/webkit/port/page/Location.idl 
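Review bot: In the @@ -958 hunk, `$accessControl` now starts as `"v8::DEFAULT"` and has `|v8::ALL_CAN_WRITE` / `|v8::PROHIBITS_OVERWRITING` appended, so the generated `static_cast<v8::AccessControl>(v8::DEFAULT|v8::PROHIBITS_OVERWRITING)` is only correct if v8::DEFAULT is zero; presumably it is, but that assumption deserves a comment next to the initialisation, e.g. `# v8::DEFAULT must be 0 for the flags OR-ed on below to be meaningful.`. In the @@ -1126 hunk the line above the new `$template->SetAccessor(` call still reads `# Mark the accessor as ReadOnly and set it on the proto object so`, which is no longer accurate once `v8OnInstance` selects `"instance"`; rewording it to `# ... and set it on the $template object so` keeps the comment truthful. The enclosing sub GenerateImplementation starts and ends outside these hunks.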
@@ -13,10 +13,12 @@ module core { attribute DOMString protocol; attribute DOMString search; - [DoNotCheckDomainSecurity] void reload(in boolean forceget); - [DoNotCheckDomainSecurity] void replace(in DOMString url); - [DoNotCheckDomainSecurity] void assign(in DOMString url); - - [DontEnum] DOMString toString(); + // For security reasons, these functions are on the instance + // instead of on the prototype object to insure that they cannot + // be overwritten. + [DoNotCheckDomainSecurity, v8OnInstance] void reload(in boolean forceget); + [DoNotCheckDomainSecurity, v8OnInstance] void replace(in DOMString url); + [DoNotCheckDomainSecurity, v8OnInstance] void assign(in DOMString url); + [ReadOnly, DontEnum, v8OnInstance] DOMString toString(); }; } |
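Review bot: Only toString gets an explicit `ReadOnly` here; reload, replace and assign get `v8OnInstance` alone, so the non-overwritability the new layout test asserts for them appears to rely on the generator's DoNotCheckDomainSecurity special case (the branch in the @@ -1126 hunk that appends `|v8::ReadOnly`) rather than on the IDL — inferred from the generator hunks, not stated here. Marking them `[DoNotCheckDomainSecurity, ReadOnly, v8OnInstance]` would make the intent explicit and keep the protection from silently disappearing if that generator branch is later changed. The new comment also reads `to insure that they cannot`, which should be `ensure`. The enclosing interface declaration starts outside the hunk.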